package org.xdi.oxauth.model.token;

import com.google.common.collect.Lists;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.UUID;
import org.apache.commons.lang.StringUtils;
import org.codehaus.jettison.json.JSONArray;
import org.jboss.seam.Component;
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.AutoCreate;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.contexts.Contexts;
import org.jboss.seam.contexts.Lifecycle;
import org.xdi.model.AuthenticationScriptUsageType;
import org.xdi.model.GluuAttribute;
import org.xdi.model.custom.script.conf.CustomScriptConfiguration;
import org.xdi.oxauth.model.authorize.Claim;
import org.xdi.oxauth.model.common.AccessToken;
import org.xdi.oxauth.model.common.AuthorizationCode;
import org.xdi.oxauth.model.common.IAuthorizationGrant;
import org.xdi.oxauth.model.common.SubjectType;
import org.xdi.oxauth.model.common.UnmodifiableAuthorizationGrant;
import org.xdi.oxauth.model.config.ConfigurationFactory;
import org.xdi.oxauth.model.crypto.encryption.BlockEncryptionAlgorithm;
import org.xdi.oxauth.model.crypto.encryption.KeyEncryptionAlgorithm;
import org.xdi.oxauth.model.crypto.signature.RSAPublicKey;
import org.xdi.oxauth.model.crypto.signature.SignatureAlgorithm;
import org.xdi.oxauth.model.exception.InvalidJweException;
import org.xdi.oxauth.model.jwe.Jwe;
import org.xdi.oxauth.model.jwe.JweEncrypterImpl;
import org.xdi.oxauth.model.jwt.Jwt;
import org.xdi.oxauth.model.jwt.JwtSubClaimObject;
import org.xdi.oxauth.model.jwt.JwtType;
import org.xdi.oxauth.model.ldap.PairwiseIdentifier;
import org.xdi.oxauth.model.registration.Client;
import org.xdi.oxauth.model.util.JwtUtil;
import org.xdi.oxauth.service.AttributeService;
import org.xdi.oxauth.service.PairwiseIdentifierService;
import org.xdi.oxauth.service.ScopeService;
import org.xdi.oxauth.service.external.ExternalAuthenticationService;
import org.xdi.oxauth.service.external.ExternalDynamicScopeService;
import org.xdi.oxauth.service.external.context.DynamicScopeExternalContext;
import org.xdi.util.security.StringEncrypter;

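/* loaded from: input_file:org/xdi/oxauth/model/token/IdTokenFactory.class */
/**
 * Builds the OpenID Connect ID Token for an authorization grant.
 *
 * <p>The token is issued either as a signed JWT ({@link #generateSignedIdToken}) or,
 * when the client registered both {@code id_token_encrypted_response_alg} and
 * {@code id_token_encrypted_response_enc}, as an encrypted JWE
 * ({@link #generateEncryptedIdToken}); {@link #createJwr} makes that choice.
 *
 * <p>Both variants populate the same claim set: lifetime ({@code iat}/{@code exp}),
 * {@code acr}/{@code amr}, {@code nonce}, {@code auth_time}, {@code c_hash}/{@code at_hash},
 * the oxAuth-specific {@code oxValidationURI}/{@code oxOpenIDConnectVersion} claims, the
 * claims of the granted scopes, the claims requested through a JWT authorization request,
 * and the subject identifier (public or pairwise). Dynamic scopes are handed to the
 * external dynamic-scope scripts after the standard claims are in place.
 *
 * <p>Stateless Seam component; all collaborators are injected.
 */
@Name("idTokenFactory")
@AutoCreate
@Scope(ScopeType.STATELESS)
public class IdTokenFactory {

    @In
    private ExternalDynamicScopeService externalDynamicScopeService;

    @In
    private ExternalAuthenticationService externalAuthenticationService;

    @In
    private ScopeService scopeService;

    @In
    private AttributeService attributeService;

    @In
    private ConfigurationFactory configurationFactory;

    @In
    private PairwiseIdentifierService pairwiseIdentifierService;

    /**
     * Issues a signed ID Token for the grant.
     *
     * @param iAuthorizationGrant the grant the token is issued for (client, user, acr, auth time, request object)
     * @param str                 the {@code nonce} from the authentication request; omitted when blank
     * @param authorizationCode   the authorization code to bind via {@code c_hash}, or {@code null}
     * @param accessToken         the access token to bind via {@code at_hash}, or {@code null}
     * @param set                 the granted scope names
     * @param z                   when {@code true}, the claims of the granted scopes are written into
     *                            the token and dynamic scopes are passed to the external scripts
     * @return the signed token
     * @throws Exception propagated from the signer, the services or the scripts
     */
    public Jwt generateSignedIdToken(IAuthorizationGrant iAuthorizationGrant, String str, AuthorizationCode authorizationCode, AccessToken accessToken, Set<String> set, boolean z) throws Exception {
        JwtSigner jwtSigner = JwtSigner.newJwtSigner(iAuthorizationGrant.getClient());
        Jwt jwt = jwtSigner.newJwt();
        // c_hash/at_hash are computed with the algorithm the token is signed with.
        fillIdTokenClaims(jwt, iAuthorizationGrant, str, authorizationCode, accessToken, set, z, jwtSigner.getSignatureAlgorithm());
        return jwtSigner.sign();
    }

    /**
     * Issues an encrypted ID Token for the grant, using the key-management and content-encryption
     * algorithms the client registered.
     *
     * <p>RSA key management fetches the client's public key from its {@code jwks_uri}; AES key
     * wrapping derives the wrapping key from the client secret (UTF-8 bytes).
     *
     * @param iAuthorizationGrant the grant the token is issued for
     * @param str                 the {@code nonce}; omitted when blank
     * @param authorizationCode   the authorization code to bind via {@code c_hash}, or {@code null}
     * @param accessToken         the access token to bind via {@code at_hash}, or {@code null}
     * @param set                 the granted scope names
     * @param z                   when {@code true}, scope claims are included (see {@link #generateSignedIdToken})
     * @return the encrypted token
     * @throws InvalidJweException when no usable public key is available, when encryption fails, or when
     *                             the registered key-management algorithm is not supported
     * @throws Exception propagated from the services or the scripts
     */
    public Jwe generateEncryptedIdToken(IAuthorizationGrant iAuthorizationGrant, String str, AuthorizationCode authorizationCode, AccessToken accessToken, Set<String> set, boolean z) throws Exception {
        Client client = iAuthorizationGrant.getClient();
        KeyEncryptionAlgorithm keyAlgorithm = KeyEncryptionAlgorithm.fromName(client.getIdTokenEncryptedResponseAlg());
        BlockEncryptionAlgorithm blockAlgorithm = BlockEncryptionAlgorithm.fromName(client.getIdTokenEncryptedResponseEnc());

        Jwe jwe = new Jwe();
        jwe.getHeader().setType(JwtType.JWT);
        jwe.getHeader().setAlgorithm(keyAlgorithm);
        jwe.getHeader().setEncryptionMethod(blockAlgorithm);
        jwe.getClaims().setIssuer(this.configurationFactory.getConfiguration().getIssuer());
        jwe.getClaims().setAudience(client.getClientId());
        // There is no signature algorithm on this path, so the hashes are requested with a null
        // algorithm. NOTE(review): confirm what getHash(null) produces for c_hash/at_hash.
        fillIdTokenClaims(jwe, iAuthorizationGrant, str, authorizationCode, accessToken, set, z, null);

        if (keyAlgorithm == KeyEncryptionAlgorithm.RSA_OAEP || keyAlgorithm == KeyEncryptionAlgorithm.RSA1_5) {
            RSAPublicKey publicKey = JwtUtil.getPublicKey(client.getJwksUri(), (String) null, SignatureAlgorithm.RS256, (String) null);
            if (publicKey == null) {
                throw new InvalidJweException("The public key is not valid");
            }
            return new JweEncrypterImpl(keyAlgorithm, blockAlgorithm, publicKey).encrypt(jwe);
        }
        if (keyAlgorithm == KeyEncryptionAlgorithm.A128KW || keyAlgorithm == KeyEncryptionAlgorithm.A256KW) {
            try {
                byte[] sharedKey = client.getClientSecret().getBytes(StandardCharsets.UTF_8);
                return new JweEncrypterImpl(keyAlgorithm, blockAlgorithm, sharedKey).encrypt(jwe);
            } catch (Exception e) {
                // Any failure while wrapping/encrypting is surfaced as an invalid JWE, cause preserved.
                throw new InvalidJweException(e);
            }
        }
        // The client asked for encryption; never hand back the unencrypted claim set.
        throw new InvalidJweException("Unsupported id_token_encrypted_response_alg: " + client.getIdTokenEncryptedResponseAlg());
    }

    /**
     * Writes the claims shared by the signed and encrypted tokens into {@code jwr}, then runs the
     * external dynamic-scope scripts for any dynamic scope that was granted.
     *
     * @param hashAlgorithm algorithm used for {@code c_hash}/{@code at_hash}; {@code null} on the encrypted path
     */
    private void fillIdTokenClaims(JsonWebResponse jwr, IAuthorizationGrant grant, String nonce,
                                   AuthorizationCode authorizationCode, AccessToken accessToken,
                                   Set<String> scopes, boolean includeScopeClaims,
                                   SignatureAlgorithm hashAlgorithm) throws Exception {
        // Lifetime is configured in seconds.
        Calendar calendar = Calendar.getInstance();
        Date issuedAt = calendar.getTime();
        calendar.add(Calendar.SECOND, this.configurationFactory.getConfiguration().getIdTokenLifetime());
        jwr.getClaims().setExpirationTime(calendar.getTime());
        jwr.getClaims().setIssuedAt(issuedAt);

        String acrValues = grant.getAcrValues();
        if (acrValues != null) {
            jwr.getClaims().setClaim("acr", acrValues);
            setAmrClaim(jwr, acrValues);
        }
        if (StringUtils.isNotBlank(nonce)) {
            jwr.getClaims().setClaim("nonce", nonce);
        }
        if (grant.getAuthenticationTime() != null) {
            jwr.getClaims().setClaim("auth_time", grant.getAuthenticationTime());
        }
        if (authorizationCode != null) {
            jwr.getClaims().setClaim("c_hash", authorizationCode.getHash(hashAlgorithm));
        }
        if (accessToken != null) {
            jwr.getClaims().setClaim("at_hash", accessToken.getHash(hashAlgorithm));
        }
        jwr.getClaims().setClaim("oxValidationURI", this.configurationFactory.getConfiguration().getValidateTokenEndpoint());
        jwr.getClaims().setClaim("oxOpenIDConnectVersion", this.configurationFactory.getConfiguration().getOxOpenIdConnectVersion());

        List<String> dynamicScopes = includeScopeClaims ? addScopeClaims(jwr, grant, scopes) : new ArrayList<String>();
        addRequestedClaims(jwr, grant);
        // Subject is set last so nothing written above can replace it.
        setSubjectIdentifier(jwr, grant);

        if (!dynamicScopes.isEmpty() && this.externalDynamicScopeService.isEnabled()) {
            this.externalDynamicScopeService.executeExternalUpdateMethods(
                    new DynamicScopeExternalContext(dynamicScopes, jwr, new UnmodifiableAuthorizationGrant(grant)));
        }
    }

    /**
     * Adds the user attributes mapped by each granted scope as claims and returns the names of the
     * granted dynamic scopes (those are filled by the external scripts instead).
     *
     * <p>A scope flagged as "group claims" produces one nested claim object named after the scope;
     * other scopes write their attributes as top-level claims. Unknown scopes, scopes without claim
     * mappings, and attribute DNs that cannot be resolved are skipped.
     */
    private List<String> addScopeClaims(JsonWebResponse jwr, IAuthorizationGrant grant, Set<String> scopes) {
        List<String> dynamicScopes = new ArrayList<String>();
        if (scopes == null) {
            return dynamicScopes;
        }
        for (String scopeName : scopes) {
            org.xdi.oxauth.model.common.Scope scope = this.scopeService.getScopeByDisplayName(scopeName);
            if (scope == null) {
                continue;
            }
            if (org.xdi.oxauth.model.common.ScopeType.DYNAMIC == scope.getScopeType()) {
                dynamicScopes.add(scope.getDisplayName());
                continue;
            }
            if (scope.getOxAuthClaims() == null) {
                continue;
            }
            boolean grouped = Boolean.TRUE.equals(scope.getIsOxAuthGroupClaims());
            JwtSubClaimObject group = null;
            if (grouped) {
                group = new JwtSubClaimObject();
                group.setName(scope.getDisplayName());
            }
            for (String attributeDn : scope.getOxAuthClaims()) {
                GluuAttribute attribute = this.attributeService.getAttributeByDn(attributeDn);
                if (!isReleasable(attribute)) {
                    continue;
                }
                String value = attributeClaimValue(grant, attribute);
                if (grouped) {
                    group.setClaim(attribute.getOxAuthClaimName(), value);
                } else {
                    jwr.getClaims().setClaim(attribute.getOxAuthClaimName(), value);
                }
            }
            if (grouped) {
                jwr.getClaims().setClaim(scope.getDisplayName(), group);
            }
        }
        return dynamicScopes;
    }

    /** An attribute is released only when it resolved and has both a claim name and an LDAP name. */
    private static boolean isReleasable(GluuAttribute attribute) {
        return attribute != null
                && StringUtils.isNotBlank(attribute.getOxAuthClaimName())
                && StringUtils.isNotBlank(attribute.getName());
    }

    /** Claim value for a mapped attribute: the user id for {@code uid}, otherwise the user's attribute. */
    private static String attributeClaimValue(IAuthorizationGrant grant, GluuAttribute attribute) {
        String ldapName = attribute.getName();
        if ("uid".equals(ldapName)) {
            return grant.getUser().getUserId();
        }
        return grant.getUser().getAttribute(ldapName);
    }

    /**
     * Adds the claims listed in the {@code id_token} member of the JWT authorization request.
     *
     * <p>Only claim names that map to a known attribute are honoured; the claim is written under the
     * name used in the request. Multi-valued attributes (a {@link JSONArray}) become a list of strings.
     * NOTE(review): a mapping whose claim name collides with a claim written earlier (exp, iat, ...)
     * would replace it — confirm such names cannot be mapped in the attribute catalogue.
     */
    private void addRequestedClaims(JsonWebResponse jwr, IAuthorizationGrant grant) {
        if (grant.getJwtAuthorizationRequest() == null || grant.getJwtAuthorizationRequest().getIdTokenMember() == null) {
            return;
        }
        for (Claim claim : grant.getJwtAuthorizationRequest().getIdTokenMember().getClaims()) {
            GluuAttribute attribute = this.attributeService.getByClaimName(claim.getName());
            if (attribute == null) {
                continue;
            }
            Object value = grant.getUser().getAttribute(attribute.getName(), true);
            if (value == null) {
                continue;
            }
            if (value instanceof JSONArray) {
                jwr.getClaims().setClaim(claim.getName(), jsonArrayToStrings((JSONArray) value));
            } else {
                // Single-valued attributes are expected to be strings here (as in the original code).
                jwr.getClaims().setClaim(claim.getName(), (String) value);
            }
        }
    }

    /** Copies the non-null string elements of {@code array} into a list. */
    private static List<String> jsonArrayToStrings(JSONArray array) {
        List<String> values = new ArrayList<String>(array.length());
        for (int i = 0; i < array.length(); i++) {
            String item = array.optString(i);
            if (item != null) {
                values.add(item);
            }
        }
        return values;
    }

    /**
     * Sets the {@code sub} claim: the configured subject attribute for public clients, or a per-sector
     * pairwise identifier for clients registered with {@code subject_type=pairwise}.
     *
     * <p>A pairwise identifier is looked up by the user's {@code inum} and the sector identifier and
     * created (random UUID) on first use, so the same client keeps seeing the same {@code sub}.
     * An absent or unrecognised subject type is treated as public.
     */
    private void setSubjectIdentifier(JsonWebResponse jwr, IAuthorizationGrant grant) {
        Client client = grant.getClient();
        boolean pairwise = client.getSubjectType() != null
                && SubjectType.fromString(client.getSubjectType()) == SubjectType.PAIRWISE;
        if (!pairwise) {
            String subAttribute = this.configurationFactory.getConfiguration().getOpenidSubAttribute();
            jwr.getClaims().setSubjectIdentifier(grant.getUser().getAttribute(subAttribute));
            return;
        }
        String sectorIdentifierUri = sectorIdentifier(client);
        String userInum = grant.getUser().getAttribute("inum");
        PairwiseIdentifier pairwiseIdentifier = this.pairwiseIdentifierService.findPairWiseIdentifier(userInum, sectorIdentifierUri);
        if (pairwiseIdentifier == null) {
            pairwiseIdentifier = new PairwiseIdentifier(sectorIdentifierUri);
            pairwiseIdentifier.setId(UUID.randomUUID().toString());
            pairwiseIdentifier.setDn(this.pairwiseIdentifierService.getDnForPairwiseIdentifier(pairwiseIdentifier.getId(), userInum));
            this.pairwiseIdentifierService.addPairwiseIdentifier(userInum, pairwiseIdentifier);
        }
        jwr.getClaims().setSubjectIdentifier(pairwiseIdentifier.getId());
    }

    /**
     * Sector identifier used to partition pairwise subjects: the registered
     * {@code sector_identifier_uri}, otherwise the client's first redirect URI.
     *
     * @throws IllegalStateException when neither is available (the original code would fail with an
     *                               array index error here)
     */
    private static String sectorIdentifier(Client client) {
        if (StringUtils.isNotBlank(client.getSectorIdentifierUri())) {
            return client.getSectorIdentifierUri();
        }
        String[] redirectUris = client.getRedirectUris();
        if (redirectUris == null || redirectUris.length == 0) {
            throw new IllegalStateException("Pairwise subject type requires a sector_identifier_uri or a redirect_uri for client " + client.getClientId());
        }
        return redirectUris[0];
    }

    /**
     * Sets the {@code amr} claim to the level of the authentication script matching the acr value;
     * the list is empty when no script matches.
     */
    private void setAmrClaim(JsonWebResponse jsonWebResponse, String acrValues) {
        List<String> amr = new ArrayList<String>();
        CustomScriptConfiguration script = this.externalAuthenticationService.getCustomScriptConfiguration(AuthenticationScriptUsageType.BOTH, acrValues);
        if (script != null) {
            amr.add(Integer.toString(script.getLevel()));
        }
        jsonWebResponse.getClaims().setClaim("amr", amr);
    }

    /**
     * Looks the component up from the Seam context, opening a call context first when neither an
     * event nor an application context is active (e.g. when called outside a request).
     */
    public static IdTokenFactory instance() {
        boolean noActiveContext = !Contexts.isEventContextActive() && !Contexts.isApplicationContextActive();
        if (noActiveContext) {
            Lifecycle.beginCall();
        }
        return (IdTokenFactory) Component.getInstance(IdTokenFactory.class);
    }

    /**
     * Entry point: issues an encrypted token when the client registered both encryption algorithms,
     * a signed token otherwise. Parameters are those of {@link #generateSignedIdToken}.
     */
    public static JsonWebResponse createJwr(IAuthorizationGrant iAuthorizationGrant, String str, AuthorizationCode authorizationCode, AccessToken accessToken, Set<String> set, boolean z) throws Exception {
        IdTokenFactory factory = instance();
        Client client = iAuthorizationGrant.getClient();
        boolean encrypt = client != null
                && client.getIdTokenEncryptedResponseAlg() != null
                && client.getIdTokenEncryptedResponseEnc() != null;
        if (encrypt) {
            return factory.generateEncryptedIdToken(iAuthorizationGrant, str, authorizationCode, accessToken, set, z);
        }
        return factory.generateSignedIdToken(iAuthorizationGrant, str, authorizationCode, accessToken, set, z);
    }
}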
